There is a strong parameters bypass vector in ActionPack. In some cases user-supplied information can be inadvertently leaked from Strong Parameters. Specifically, the return value of `each`, `each_value`, or `each_pair` is the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may inadvertently use untrusted user input.
Created rubygem-actionpack tracking bugs for this issue:
Affects: fedora-all [bug 1842635]
Red Hat CloudForms and Red Hat Satellite ship the affected RubyGem actionpack and use strong parameters; however, the products are not vulnerable since safe return values are used in product code.
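
The behaviour described above, and what a safe return value looks like, as an added example (not ActionPack source and not code from the affected products). `LeakyParams`, `SafeParams`, `assign` and `try_assign` are hypothetical names for a simplified stand-in wrapper, and the request data is constructed.

```ruby
# Simplified stand-in for a strong-parameters wrapper (hypothetical class,
# not ActionPack source). Sample data below is constructed.
class LeakyParams
  def initialize(raw, permitted = false)
    @raw = raw
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Return a new wrapper holding only the allow-listed keys.
  def permit(*keys)
    self.class.new(@raw.slice(*keys), true)
  end

  # Behaviour described above: Hash#each_pair returns its receiver, so the
  # caller gets the underlying untrusted Hash back.
  def each_pair(&block)
    @raw.each_pair(&block)
  end

  def to_h
    raise ArgumentError, "unpermitted parameters" unless permitted?
    @raw.dup
  end
end

# Hardened variant: iterate, then return the wrapper, never the raw Hash.
class SafeParams < LeakyParams
  def each_pair(&block)
    super
    self
  end
end

# Hypothetical mass-assignment sink: plain Hashes are trusted as-is,
# wrappers must have passed through permit.
def assign(attrs)
  attrs.is_a?(Hash) ? attrs : attrs.to_h
end

def try_assign(klass)
  request = { "name" => "alice", "admin" => "true" } # constructed input
  assign(klass.new(request).each_pair { |_key, _value| })
rescue ArgumentError
  :rejected
end
```

When auditing an application, the pattern to look for is any call site that passes on the result of `each`, `each_value` or `each_pair` instead of discarding it.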